Penetration Testing Vs Vulnerability Assessments

Published 31-Jan-2017 17:23:27

If you do some casual research you’ll see a lot of companies claiming to provide vulnerability assessments.

Vulnerability assessments involve running automated remote tools which generate reams of largely meaningless data. Some organisations may be tempted to think they have got a tick in the compliance box just by going through an exercise like that, but they often don’t know how to act on the information they receive. Nothing gets fixed, and you remain ripe for a cyber-attack.

Fixed-price penetration testing

Vohkus’s penetration test service incorporates a significant proportion of manual analysis by subject matter experts. It structures the tests carefully, correlates the results, and identifies root causes of problems and key remediation actions. The aim is to help the customer prioritise and fix things, and the process is repeated until every vulnerability has been eliminated.

It’s this keep-at-it-until-everything-is-secure approach that differentiates Vohkus. But unlike some cyber security firms, Vohkus delivers its penetration testing service at a fixed price. It’s able to do this because it’s rigorous in the way it scopes projects.

Scoping a penetration testing project

Vohkus’s process involves drilling deep to get specific IP ranges that belong to the client, and doing a pre-sales ‘crawl’ of the web to establish how long testing will take. In this way Vohkus can also limit any activity that could compromise live services, such as denial-of-service attack tests.

Customers often don’t realise the physical and legal complexities involved in the scoping process. There could be a whole swathe of systems that might appear associated with the client but that in fact have nothing to do with it; the customer could effectively end up paying for the testing of systems it doesn’t need to.

When Vohkus conducts this research task, the customer needs to verify which assets belong to it before Vohkus can run tests; otherwise Vohkus could be open to charges of hacking.

What happens during penetration testing?

An initial structured penetration testing programme normally takes several days, following which a report with recommended fixes is supplied to the customer. Once these have been addressed a re-test is carried out to confirm compliance. Vohkus’s work is carried out remotely offsite and out-of-hours, so as not to disrupt normal operations.

Penetration testing can identify other issues; for example, during one test a connectivity problem affecting one of the customer’s service providers was discovered. The customer was able to fix the resulting slow performance and improve its user experience.

Once a penetration test has been completed, Vohkus can optionally work through a customer’s web apps, searching for scripting vulnerabilities that could compromise data. SQL injection techniques, for example, have caused major damage to a number of household name organisations when customer data has been accessed and stolen, and Vohkus’s report can provide confidence that the organisation is protected from that kind of malicious activity.

Arranging your penetration test

A penetration test should be conducted at least annually to ensure that systems are secure and best practice is being followed. Vohkus offers a free retest within 90 days, along with a detailed report with prioritised actions and resolution suggestions.

Penetration tests protect your business and valuable data. You can avoid the cost and disruption of an attack, as well as the cost of network downtime. Vohkus’s report enables you to demonstrate that your internal audit and governance procedures are working and that you meet all external regulatory requirements. It shows that your organisation takes its responsibilities seriously and that you’re worthy of the trust of your clients, partners and suppliers.